LinuxQuestions.org
Old 09-20-2004, 12:54 PM   #1
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
Viruses aimed at Microsoft rise sharply


Found this article on MSNBC, but look at the end of the article:

"Symantec also said it expects more viruses and worms in the future to be written to attack systems that run on the Linux operating system and hand-held devices as they become more widely used."

http://www.msnbc.msn.com/id/6053724/

Is this seriously something to be concerned about?
 
Old 09-20-2004, 01:06 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
they are just playing on the old myth that the reason why viruses aren't a problem on linux is because it's not yet popular on the desktop...

they wanna start setting the stage, so that when linux becomes popular on the desktop, they'll be able to sell their software on the linux desktop market...

remember, invention is the mother of necessity...

maybe distros that run regular user's apps as root (like linspire) could be benefited by using anti-whatever software, but not real distros...

if you'd need to have some third-party anti-whatever software to be able to run a regular linux distro securely, then that means the distro is broken... on a non-broken distro, the only way to get a virus is to install unchecked binaries as root...


Last edited by win32sux; 09-20-2004 at 01:16 PM.
 
Old 09-20-2004, 01:14 PM   #3
rshaw
Senior Member
 
Registered: Apr 2001
Location: Perry, Iowa
Distribution: Mepis , Debian
Posts: 2,692

Rep: Reputation: 45
i agree, they can see the writing on the wall, and are going to try to profit by selling as much unneeded software as possible before the new crop of linux users catch on to the scam. rootkits, trojans, and worms are another issue, but can be defended against with proper configuration.
 
Old 09-21-2004, 01:01 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
This has been argued in way more threads on this forum in the last two years than I care to remember. On the one hand, yes Anti-Virus companies live off of hysteria because it always benefits their sales. On the other hand, separation between the administrative user and an unprivileged user in Linux means very little when it comes to viruses. Just because a virus couldn't immediately "root" your box doesn't mean it can't do damage. Here are the reasons why Linux viruses would still be just as bad as Windows viruses:

1.) The only part of your system that really cannot be replaced is the data you create, and the user will have write access to that data. Unless you back it up (and most people don't), a virus could wipe it all out. Remember, you can always reinstall the OS from CDs or the Internet, but you can't reinstall the stuff you created (websites, graphics, photos, papers, homework, etc). This is no different than on Windows.

2.) There are many, many malicious things that malware can do on a system without root. Most current worms and malware install open proxies or hidden daemons for sending spam, hosting scam websites, and participating in DDoS attacks. None of those require root.

3.) The only thing that's more secure on Linux is the e-mail clients, and even that distinction is growing thin (as recent vulnerabilities in the Mozilla family show). There has also been a long history of string handling problems in PINE. The only real advantage is that Open Source e-mail clients don't automatically execute code (yet). It seems like GNOME might be getting close to that with their new MIME handling. Even though they don't execute code, users are still susceptible to social engineering attacks that make up most of the Windows e-mail exploits anyway.

4.) Most Linux distributions do not have any more inherent protection than Windows, and many have less. Win2K3 has a stack guard, WinXP SP2 has NX support, etc... Most Linux distributions don't yet even have that protection. Only those with grsec, or PaX by default have the level of security that current Windows has.

So yes, I think that the main reason that Linux hasn't yet become a big target for malware is because there aren't enough installed hosts under end-user control to make it interesting. Most of the Linux deployments are servers that are behind firewalls and proxies, and probably have intrusion detection systems watching them. Most end-user machines don't approach that level of security, and most end-users don't have the savvy to use such tools.

The other reason is really the same issue put another way, but since there are so many Linux distributions and so many of them are set up radically differently (by default), the same exploit will almost never work on all Linux distributions. The result is that attackers usually have to write several different exploits to go after the same vulnerability. Of course there are some exploits that don't require using shell code, such as discovering poorly named and passworded accounts via SSH.

No operating system is invincible, especially if it hasn't gone out of its way to specifically prevent security threats. It would be extremely naive to think you can never get exploited.
 
Old 09-21-2004, 07:45 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by chort
separation between the administrative user and an unprivileged user in Linux means very little when it comes to viruses.
i think it means a lot: under normal circumstances, no malware that a regular user executes will infect the system, or the other users' accounts on the system (unless of course an exploit is used)...

that might not be anything close to "complete immunization", but it's a lot better than what you have to deal with on "other" operating systems...


Quote:
There are many, many malicious things that malware can do on a system without root.
if someone can affect your system without being root, something is wrong (an exploit is being used, for example)... i'm sure you meant "user account", not "system"...


Quote:
Most current worms and malware install open proxies or hidden daemons for sending spam, hosting scam websites, and participating in DDoS attacks. None of those require root.
are you talking about linux or windows?? if linux, could you please post some examples?? maybe some links or something?? this is very interesting...


Quote:
The only thing that's more secure on Linux is the e-mail clients...

Most Linux distributions do not have any more inherent protection than Windows, and many have less...

I think that the main reason that Linux hasn't yet become a big target for malware is because there aren't enough installed hosts under end-user control to make it interesting...
wow, those are pretty bold statements...


Quote:
It would be extremely naive to think you can never get exploited.
yes, it would... but exploits are a different issue...
 
Old 09-21-2004, 11:07 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally posted by chort
separation between the administrative user and an unprivileged user in Linux means very little when it comes to viruses.


i think it means a lot: under normal circumstances, no malware that a regular user executes will infect the system, or the other users' accounts on the system (unless of course an exploit is used)...

that might not be anything close to "complete immunization", but it's a lot better than what you have to deal with on "other" operating systems...


No, it really doesn't mean anything. When I say "system" I mean "on the machine". Since the user account resides "on the machine", it's part of the system. Does that mean Linux malware can mess with the functioning of the OS itself? Not necessarily, but it doesn't have to. Didn't you pay attention at all to my comments about the only valuable thing on a system being the data? I notice you didn't quote that section. Windows users can reinstall their OS, so can Linux users. What is really irreparable in both situations is the data and in both Windows and Linux that data is user-writable (because that user created it). The only time that is not true is on multi-user systems (i.e. one user getting compromised can't affect all user-data on the system, but they can still wipe out their own), but the vast majority of machines that are getting exploited are not multi-user (i.e. they're desktop machines, or user-less application servers).

Also, I'll add something here that I didn't mention before, and that is that an exploit to gain local privileges makes it exponentially easier to get root. In the last year there have been about 8 different local exploits that could work against the Linux kernel itself (the kernel, not outside applications!) to get root access. That's many more than on Windows in the same time frame. Most Windows exploits these days are for IE or OL.




Quote:
There are many, many malicious things that malware can do on a system without root.


if someone can affect your system without being root, something is wrong (an exploit is being used, for example)... i'm sure you meant "user account", not "system"...

This is purely semantics. The user account is part of the system, and yes there are plenty of bad things you can do with only access to a user account or user privileges. Also, as I said above, having a local account makes it much easier to get root.

Quote:
Most current worms and malware install open proxies or hidden daemons for sending spam, hosting scam websites, and participating in DDoS attacks. None of those require root.


are you talking about linux or windows?? if linux, could you please post some examples?? maybe some links or something?? this is very interesting...

I'm talking about in general, but it applies to rootkits that have been seen in the wild for Linux. My job is messaging security, it's what I do all day. I've given talks and presentations to groups all up and down the Pacific coast. For example, over 50% of the spam now being sent comes from compromised machines. If you think about it, none of the things I listed above require root. A user can bind to any ports > 1023, so you can make a proxy, HTTP daemon, or SMTP relay listen without being root. You do not need to bind to any ports (to listen, anyway) at all to send mail (such as from a client), so sending spam can be, and easily is, done by automated scripts.

If that's not enough for you, read this article. You'll notice that the only reason this sysadmin even found the spam zombie was because he had patched his kernel with the grsec extensions.

This is why I make such a big deal about most Linux distros not having grsec/PaX/SELinux by default. Sure it's a little tougher to test and some applications might not work right, but it's worth it. If some applications don't work correctly after securing the OS, then obviously the maintainers of those applications need to fix their programs to work in a secure environment.


Quote:
The only thing that's more secure on Linux is the e-mail clients...

Most Linux distributions do not have any more inherent protection than Windows, and many have less...

I think that the main reason that Linux hasn't yet become a big target for malware is because there aren't enough installed hosts under end-user control to make it interesting...


wow, those are pretty bold statements...

Well yes, but do you see any reason why they're not well informed opinions? The difference in Linux is that e-mail clients won't automatically try to display most attachments (although many of them do show images), and that the clients are not currently tightly tied to the browser. Those are the two main areas where Windows gets exploited time after time. The other one of course being the flawed concept of "security zones" in the IE browser. Of course, the Mozilla and Opera browsers have had a ton of security flaws themselves, so there's hardly room to brag there (but hey, at least they don't have "security zones"!).


Quote:
It would be extremely naive to think you can never get exploited.


yes, it would... but exploits are a different issue...

Huh? How are exploits different? Viruses (in the strictest sense of the word) rely on social engineering, but worms (again, in the strict sense) can propagate on their own. Viruses don't necessarily use any exploits at all because once a user has been tricked into opening them, they act like any other program the user has access to. Worms of course do rely on exploits to spread. However, this is semantics again, when Anti-Virus companies talk about "viruses" they in general mean "malware" (although often spyware is excluded, for some reason). A pure virus could work equally well on Linux as Windows, because you're tricking the user into doing something unsafe. This is where Linux having (currently) safer e-mail clients helps. As for worms, well Linux is no better at all because there have been a whole plethora of remotely exploitable bugs in Linux over the years, and this trend continues to current day with no change in sight.

Now, don't get me wrong and believe that I think Linux-based OSs are bad, or that Windows is better (or even OK), but I'm just trying to educate people and get them out of the mode of thinking "hey I'm invincible because I run Linux". In fact, the nice thing about Linux (and BSD) is that you can have a much greater degree of control over the OS. You can shut down all services--i.e. you don't need RPC on to run the system... whoops, Windows must have that, so you can't remove vulnerabilities that way! The kernel level packet filter can block outgoing traffic as well as incoming, and you can block any traffic on any interface, not just what you're "allowed" to block. You can whole-sale uninstall most of the applications (unless of course the author was totally irresponsible and built it against so many libraries that everything depends on each other, which is a situation I've seen a few times). You can recompile your kernel to take out certain drivers or features (if really necessary). You can apply kernel-level patches to enhance security--which should be done BY DEFAULT, please complain to your favorite Linux distro--in Windows all the security add-ons have to be userland utilities. I could go on and on as far as the degree of control...

The reason we're moving our product line to Linux appliances (rather than Windows software) is because we have a huge degree of flexibility to increase security on the system, which is something we never had with the Windows platform. It also makes support and upgrades much, much easier and this is because we have total control of the OS image being sent out (i.e. we rip out 70% of the Linux distribution we use as the base OS and customize the rest, but we always know what our OS image will look like, so upgrading it is always the same).

So there, I don't hate Linux, I just think there's a whole lot of room for improvement. What users need to do is a) realize they're not safe just because they're running Linux b) remember to patch your system every time a security update comes out c) harden your configuration by shutting down services and installing a good firewall d) install kernel-level security to protect against buffer overflows e) loudly petition the maintainers of your favorite distro to do c and d by default, so when you install your brand spankin new Linux system it's already well protected. To be fair, a lot of distros now install a firewall by default, but many of them are quite pathetic (like lokkit) and a lot of times they cause users so much confusion that the user just disables them to get things working (usually P2P, or a web server). The firewall controls must have an obvious way for a user to let through P2P traffic and open incoming ports to well known services, otherwise users will continue to disable them. As for the kernel security, this is almost totally ignored by most of the major Linux distros. So far the only one I know of who plans to ship a hardened by default kernel is Red Hat.
 
Old 09-21-2004, 11:39 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
okay, i get what you're saying now... it makes sense...

you're right, the data is what it's all about...

thanks for the link, i've bookmarked the article so i can read it later...

it seems one of the main issues here is that even though (without an exploit) a regular user can't affect the "operating system files", anything he executes as himself can affect his "personal files"... right??

okay, so then i must ask: what can we do to fix this situation?? how can we make everything more secure, to the point where the stuff that the user executes will have just or almost as hard a time editing their own user files as it does editing the system files??

what would a user-level anti-malware program or configuration for linux work like?? do any exist??

you can stop a user from accidentaly turning the machine into a proxy (for example) by using your firewall, but how do you prevent malware from damaging the files in their home folder??

is there a way to configure your install so that users can only execute the programs installed on the system by root, and nothing else (like, not even a shell script, etc...)???


Last edited by win32sux; 09-21-2004 at 11:47 AM.
 
Old 09-21-2004, 12:19 PM   #8
leonscape
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Debian SID / KDE 3.5
Posts: 2,313

Rep: Reputation: 48
I always get annoyed by these, but anyway...

The most important part of all malware ( viruses trojans worms etc. ) is not what they do, the first thing to think about is the vector of infection.

This is the hardest part, this is where most of the Malware writers concentrate their time, and is one of the reasons Linux has been spared. It's very hard to infect, we don't have IE, or Outlook.

I don't mean their security holes either ( although they're big enough ). All the e-mail clients won't execute things without explicitly asking the user ( most won't execute anything at all ever ). Most won't even display HTML mail without asking first. This is the single biggest vector out the window.

We don't do ActiveX either in our browsers, that's the second biggest vector closed. We have stricter and more rigorously enforced permissions on executing anything from within the browser. There goes the third...

Some people will say that you can still have people download things ( either from the net or from e-mail ) and execute the stuff themselves. This is true, and if they're that stupid, then they DO need something like a virus scanner ( though they'll probably ignore that as well, I've seen it happen ). The important thing here is they'll only destroy their home directory at most. If you're a sys admin at a company then you should have backups anyway of all the docs. If you're at home this is a different matter, but you should still have backups of what's important. After all viruses aren't the only thing that can damage your system.

So even when the worst comes to the worst, Linux tries to still protect you from yourself, and the computer will still work, a reboot later and the virus is deleted. You may even be able to recover stuff.

Exploits are a different matter, and we must be ever vigilant of them. A virus scanner will not help you here. Although you can configure the rest of the system to help harden yourself against them, and BACKUP...

I always run a virus-scanner in Windows, it's needed.
 
Old 09-21-2004, 12:23 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Anything you do that restricts a user is likely to cause them to either a) turn it off or b) switch to a different OS, so those types of solutions tend to be limited. Social engineering attacks are not solvable by technology, or at least not very easily solved. For that reason it's more efficient to concentrate on preventing worms (self-propagating malware) and privilege escalation (taking user privilege and elevating it to root privilege).

The road blocks you can throw up against worms and privilege escalation are many. You can ship with a secure configuration by default (like OpenBSD) so there are no externally available daemons to exploit. You can install a good default firewall (but one that gives the user ability to allow their traffic through easily, so they don't turn it off). You can make sure that all the daemons and services that are included with your installation have good, safe default configurations. You can implement privilege separation and/or revoking in services so that compromising a service doesn't allow access to the rest of the system (localizing and minimizing the damage). You can install stack protection to prevent buffer and heap overflows, you can harden the compiler to build things as safely as possible and warn about unsafe C functions. There is a huge list of possibilities, most of which are included in OpenBSD by default.

This isn't to say everyone should switch to OpenBSD, but certainly a lot of Linux distros could copy a lot of the work and concepts that the OpenBSD team has done to secure their OSs. Interestingly, Microsoft imported some rather significant bits of code from OpenBSD for their Services for UNIX bundle, and where do you suppose they got the idea for their stack guard in Win2K3 and the NX protection in WinXP SP2? For instance, Red Hat working to implement SELinux as part of the kernel by default in their next release of EL is a very good move. Every Linux distro should follow that strategy and include kernel hardening. In fact, the Linux kernel itself should just streamline in all these things so it's not up to the individual distros to do all that additional work and duplication of effort. Why has the Linux kernel not integrated things such as PaX protection by default? I don't know, but there has to be some kind of explanation (if there isn't, that's just arrogant on the kernel developer's part).

Back to protecting the users against themselves for a second, file system and process ACLs and Mandatory Access Controls can help the situation a little by giving more granular control. Those are the types of things that grsec and SELinux help with. Ultimately, code authentication is probably close to the final solution, but we're a long way away from that, and for it to truly work it needs hardware support, but that's a whole new pandora's box.
 
Old 09-21-2004, 12:38 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
leonscape
So even when the worst comes to the worst, Linux tries to still protect you from yourself. and the computer will still work, a reboot later and the virus is deleted. You may even be able to recover stuff.
First, simply rebooting a system will not clear a virus, no matter what OS. If the malware only affects the user, it can still write itself out to disk and place itself in a user's .login/.profile/.xinitrc file. It could also modify the user's path in .login/.profile/.<shell>rc, etc so that if the user calls ls, ps, find, top, etc it all gets directed to an infected version in the user's own directory rather than the real programs (which might be outside the malware's realm of influence).

Also, while the computer might still be able to boot into Linux after a user becomes infected, if the user's definition of "working" is "can launch X and use the apps that I understand in a graphical environment", then no, the system is not guaranteed to be "working". The user might be presented with a stark login terminal and find, when they try to login, that their password is not accepted. Sure you might be able to login as root (better hope you had sudo set to require a password), but now you're off in *n*x sysadmin land, which few users know how to deal with (try walking your average user through file system recovery with TCT).

Also, a lot of this assumes that users haven't lowered any barriers (or that they aren't low by default). The sudo example, for instance, is a good one. Many tutorials show you how to setup sudo access to all commands without requiring a password. At that point you're just a "sudo passwd root" away from being rooted.
 
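The user-level persistence chort describes above (a PATH entry in .profile/.login/.<shell>rc pointing at a directory the user owns, plus look-alike copies of ls, ps, find, top there) is something an administrator can audit for without root. The script below is an added example, not code from the thread or from any project; it constructs its own throwaway home directory as a fixture, and the list of command names it looks for is an assumption chosen for the example. It assumes bash and GNU find on Linux.

```bash
#!/bin/bash
# Added example (not from the thread): audit a home directory for
# user-level persistence: shell startup files that prepend a directory
# under $HOME to PATH, and executables inside the home directory that
# carry the name of a common system command.

# Command names a dropped binary would most plausibly shadow (assumption).
SHADOW_NAMES="ls ps find top netstat sudo ssh"

# audit_home HOMEDIR: prints one finding per line; prints nothing when clean.
audit_home() {
    local home="$1" rc f name
    for rc in .profile .login .bash_profile .bashrc .zshrc .xinitrc; do
        f="$home/$rc"
        [ -f "$f" ] || continue
        # Uncommented PATH assignments whose first element lives under the home.
        grep -nE '^[^#]*PATH=(\$HOME|~|'"$home"')' "$f" 2>/dev/null |
            sed "s|^|PATH prepended in $rc: |"
    done
    # Executable files under the home whose name matches a system command.
    for name in $SHADOW_NAMES; do
        find "$home" -maxdepth 3 -type f -name "$name" -perm -100 2>/dev/null |
            sed "s|^|command shadowed by user-writable file: |"
    done
}

# count_findings HOMEDIR: number of findings, usable as an alert condition.
count_findings() {
    audit_home "$1" | grep -c . || true
}

# make_demo_home: builds a constructed fixture that reproduces the pattern
# from the post (PATH prepend plus a fake "ls") and prints its path.
make_demo_home() {
    local h
    h=$(mktemp -d)
    mkdir -p "$h/.bin"
    printf 'export PATH=$HOME/.bin:$PATH\n' > "$h/.profile"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$h/.bin/ls"
    chmod 755 "$h/.bin/ls"
    echo "$h"
}

# Stand-alone run: audit the constructed fixture, then remove it.
demo=$(make_demo_home)
audit_home "$demo"
echo "findings: $(count_findings "$demo")"
rm -rf "$demo"
```

Run it as a normal user against real accounts with `audit_home /home/alice`; a non-zero `count_findings` is a reason to look at the listed files, not proof of compromise, since some users legitimately keep scripts in `~/bin`.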
Old 09-21-2004, 12:45 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by chort
Anything you do that restricts a user is likely to cuase them to either a) turn it off or b) switch to a different OS, so those types of solutions tend to be limited.
okay, but not everybody minds being restricted, especially if it makes things more secure... as long as they can do the things they need to do (for example: surf the web, send/receive email, chat, etc.)...

also, in a corporate environment, the user probably won't even have a say-so as to what is installed on the computer.... they have to use what the company gives them, period... so restricting the things they can execute isn't an issue...

in that sort of situation, how can one configure an install so that only the binaries and scripts whitelisted by root can be run by regular users??

this would be great, even outside of the corporation... i mean, you wouldn't have to worry about "grandma" running an evil shell script that some cracker emailed to her with a social engineering message... the shell script could contain commands to delete all the files in her home folder, and normally when she runs it, everything is deleted... but with some kinda control, she won't be able to run this script, unless root allows her to...

i'm just thinking-out-loud here...

i'd really like to know how to make some kinda "whitelist" for scripts and binaries... i think it would be a cool option...
 
Old 09-21-2004, 01:02 PM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
File system ACLs and MAC or RBAC. Look at grsec and SELinux, those will do approximately what you want. You can also do kind of a poor-man's hardening by doing chmod o-x to all binaries and executables that are not required by ordinary users. You can control access to them by having a group that is allowed to access those restricted executables and setting the group ownership on those files (chgrp). It gets tricky if you need to coordinate access by more than one group, so at that point you're looking at add-on software.
 
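The "poor-man's hardening" chort describes (chgrp the restricted executables to a dedicated group, then chmod o-x) as a small script with a verification step. This is an added example, not code from the thread; it assumes a Linux system with GNU coreutils (`stat -c`), and the group name and file list come from the caller. It also removes the "other" read bit, which the post does not mention: a world-readable binary can simply be copied into the user's home and run from there, which defeats the restriction.

```bash
#!/bin/bash
# Added example (not from the thread): restrict a set of executables so
# that only members of one group can run them, then verify the result.

# restrict_to_group GROUP FILE...: give each file to GROUP and strip
# read and execute from "other". Requires ownership of the files (or root)
# and membership in GROUP for chgrp to succeed.
restrict_to_group() {
    local group="$1" f
    shift
    for f in "$@"; do
        chgrp "$group" "$f"
        chmod o-rx "$f"
    done
}

# others_can_exec FILE: succeeds (exit 0) if "other" still has execute.
others_can_exec() {
    case "$(stat -c '%A' "$1")" in
        *x) return 0 ;;
        *)  return 1 ;;
    esac
}

# group_of FILE: prints the group owner, for checking the chgrp step.
group_of() {
    stat -c '%G' "$1"
}

# Stand-alone run on a constructed fixture: a throwaway "tool" script,
# restricted to the current user's primary group, then cleaned up.
d=$(mktemp -d)
printf '#!/bin/sh\necho tool ran\n' > "$d/tool"
chmod 755 "$d/tool"
restrict_to_group "$(id -gn)" "$d/tool"
echo "group: $(group_of "$d/tool")  mode: $(stat -c '%A' "$d/tool")"
rm -rf "$d"
```

On a real system the call would be something like `restrict_to_group admins /usr/bin/gcc /usr/bin/nmap` as root. As the post says, this only expresses one group per file; users outside the group can still execute anything they own or create themselves, which is where the ACL and MAC tools named above come in.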